All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SRX Indexing

mad4wknds
Path Finder
‎01-25-2014 02:05 PM

I am able to see srx_logs in a new index "SRX" but I want it to go to the "main" index. I can not see SRX logs in the search app when changing Splunk>etc>System>local>Inputs.conf>[UDP://514] index=main

BTW:I can see other source types in the "main" index.

Tags (1)
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎01-26-2014 10:48 AM

One possibility is that there is a transforms.conf being utilized that is forcing an index name. Are you using a Juniper app to view the data? This is probably the case if there happens to be an SRX index that you did not create.

There is also a possibility that the date/time extraction is not happening properly, or the timezone is not set properly. If that is the case and you're looking over a relative time period (say back 15 minutes) or even all-time, your search may not return the events showing up from the SRX. When running your search, select real-time -> All Time (real-time) on the time picker. This should show events coming in (if they actually are coming in) regardless of whether or not they have a future time set.

Reply

mad4wknds
Path Finder
‎01-26-2014 03:54 PM

I found the answer to my problem. I had never used the btool before. I analyzed the "default" props.conf file. and found some extra configs there.

OK I know not to modify default files. I just inherited this environment. Thanks for the suggestion.

0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎01-26-2014 12:35 PM

Splunk would not put the data in an index you created unless it's directed to. You can run btool to look at your active configuration and that may lead you to the answer:

splunk cmd btool inputs list --debug

http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

Reply

mad4wknds
Path Finder
‎01-26-2014 12:23 PM

I created the "SRX" index as a test to see if I could get any firewall data in the search app at all. I have the SRX app but I have to get it into the search app first. I have tried changing the index to "main" and "summary" neither of them work. No local Transforms.conf defined. And Date/Time extractions is not the issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...